Default routing depending on source-address

jxdemel
Level 1

I have the need to use different default-routes depending on the source-address of the packet, when it comes from the content switch (e.g. from a group-address or as response-packet in a conversation with a content address).

The reason for this requirement is, that I have one firewall which is connected to both vlan2 and vlan602.

First there are rules, which disallow some traffic between 128.111.1.0 and 128.222.2.0. (addresses are only examples !!)

Second there occurs a routing-triangle which results in blocking of the path through the (stateful) firewall because the firewall sees no completion of the tcp 3-way handshake.

I tried this configuration but it does not work.

Packets from 128.222.2.x addresses to 128.111.1.x addresses are sent directly to the destination because the address is in the arp-cache of the content switch.

any ideas ??

ip route 0.0.0.0 0.0.0.0 128.111.1.1 1
ip route 0.0.0.0 0.0.0.0 128.222.2.1 1
!************************* INTERFACE *************************
interface 1/1
  trunk
  vlan 2
  vlan 602
!************************** CIRCUIT **************************
circuit VLAN2
  ip address 128.111.1.101 255.255.255.0
  ip virtual-router 2 priority 254 preempt
  ip redundant-interface 2 128.111.1.100
circuit VLAN602
  ip address 128.222.2.101 255.255.255.0
  ip virtual-router 102 priority 254 preempt
  ip redundant-interface 102 128.222.2.100


> can't you do the same acl for the reverse path ?

What is the source-group for the reverse path?

(I tried it only with the prefer clause and without the source-group but it did not work).

When I have 2 servers for one content, with each server with its own source-group to build outgoing connections, these source-groups have different IP-Addresses !

I have no 6500 --> no CSM

Regards,

Johannes

ok - I understand the problem.

When the response comes back, the CSS uses its flow entry to forward the packet directly to the destination - bypassing the firewall.

There is no solution for that unfortunately.

Regards,

Gilles.
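The mechanism Gilles describes, as an added example that is not part of the thread: a small Python model of the CSS forwarding decision (directly connected destinations are delivered from the ARP cache, everything else takes the default route) replayed against a minimal stateful firewall. The client address 128.222.2.50 and the firewall's connection-tracking rules are assumptions; the subnets and the 128.111.1.1 next hop are the thread's example addresses.

```python
import ipaddress

# Constructed topology modelled on the thread; addresses are the thread's
# example addresses, the client host is an assumption.
VLAN2 = ipaddress.ip_network("128.111.1.0/24")
VLAN602 = ipaddress.ip_network("128.222.2.0/24")
FIREWALL = "128.111.1.1"        # next hop of the CSS default route
CLIENT = "128.222.2.50"         # VLAN602 host whose gateway is the firewall
CONTENT_VIP = "128.111.1.100"   # content / redundant-interface address on the CSS


def css_next_hop(dst, connected):
    """CSS forwarding decision: a destination in a directly connected subnet
    is delivered straight from the ARP cache; anything else takes the
    default route towards the firewall."""
    if any(ipaddress.ip_address(dst) in net for net in connected):
        return dst
    return FIREWALL


class StatefulFirewall:
    """Minimal TCP tracker: SYN, SYN/ACK and ACK must be seen in order;
    a packet that does not match the tracked state is dropped (False)."""
    EXPECTED = {"SYN": None, "SYN/ACK": "SYN_SEEN", "ACK": "SYNACK_SEEN"}
    NEXT = {"SYN": "SYN_SEEN", "SYN/ACK": "SYNACK_SEEN", "ACK": "ESTABLISHED"}

    def __init__(self):
        self.flows = {}

    def inspect(self, src, dst, flags):
        key = frozenset((src, dst))
        if self.flows.get(key) != self.EXPECTED[flags]:
            return False
        self.flows[key] = self.NEXT[flags]
        return True


def trace_handshake(connected):
    """Replay the 3-way handshake; return the firewall's verdict per packet
    and the next hop the CSS chose for the SYN/ACK."""
    fw = StatefulFirewall()
    verdicts = {"SYN": fw.inspect(CLIENT, CONTENT_VIP, "SYN")}
    reply_hop = css_next_hop(CLIENT, connected)
    # the firewall inspects the SYN/ACK only if the CSS sends it that way
    if reply_hop == FIREWALL:
        verdicts["SYN/ACK"] = fw.inspect(CONTENT_VIP, CLIENT, "SYN/ACK")
    verdicts["ACK"] = fw.inspect(CLIENT, CONTENT_VIP, "ACK")
    return verdicts, reply_hop
```

With both VLANs connected, as in the thread, `trace_handshake([VLAN2, VLAN602])` shows the SYN/ACK going straight to the client and the client's ACK being dropped by the firewall as an unknown flow; with only VLAN2 connected the reply is routed via the firewall and the handshake completes.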
